Software Composition Analysis (SCA)
ELI5 Explanation
Your app uses many open-source libraries. SCA checks whether any of those ingredients are known to be unsafe.
Technical Explanation
SCA inventories direct and transitive dependencies, maps them to CVE databases, and highlights exploitable versions. It supports policy decisions using severity, exploit maturity, and upgrade availability. SCA is critical because dependency risks often exceed custom-code risks.
Visual
Hands-on Commands
veracode sca agent --source ./
veracode sca findings --app orders-service
veracode sca findings --severity critical,high
npm ls --all
pip list --outdatedDebugging Scenario
Pipeline fails due to critical CVE in transitive package. Direct dependency is updated but CVE remains because lockfile still points to old subtree. Regenerate lockfile and rebuild artifact to clear finding.
Interview Questions
Beginner
- What is SCA?
- Why are transitive dependencies risky?
- What is a CVE?
- Why can old lockfiles be dangerous?
- How is SCA different from SAST?
Intermediate
- How do you prioritize dependency fixes?
- What is the role of exploitability in prioritization?
- How do you handle no-fix-available CVEs?
- How can dependency pinning reduce risk?
- How do you prevent vulnerable package reintroduction?
Scenario-based
- A critical CVE has no patch yet. Do you block release?
- Upgrading library breaks API compatibility. How do you decide?
- SCA findings differ between local and CI. What causes this?
- Vendor package has private patch unknown to CVE feed. How do you document exception?
- Thousands of legacy dependencies exist. What phased cleanup strategy works?
Real-world Use Case
A SaaS company prevented production exposure by blocking a vulnerable logging library update through automated SCA policy checks.
Summary
SCA protects you from open-source supply chain risk. Next lesson focuses on managing and prioritizing all discovered vulnerabilities.